Filter policy configuration overview, Service and network port-based filtering – Alcatel-Lucent 7750 SR OS User Manual

Filter Policy Configuration Overview

Page 276

7750 SR OS Router Configuration Guide

Filter Policy Configuration Overview

Filter policies, also referred to as Access Control Lists (ACLs), are templates applied to services or
network ports to control network traffic into (ingress) or out of (egress) a service access port (SAP)
or network port based on IP, IPv6, and MAC matching criteria. Filters are applied to services to
look at packets entering or leaving a SAP or network interface. Filters can be used on several
interfaces. The same filter can be applied to ingress traffic, egress traffic, or both. Ingress filters
affect only inbound traffic destined for the routing complex, and egress filters affect only outbound
traffic sent from the routing complex.

Configuring an entity with a filter policy is optional. If an entity such as a service or network port
is not configured with filter policies, then all traffic is allowed on the ingress and egress interfaces.
By default, there are no filters associated with services or interfaces. They must be explicitly
created and associated. When you create a new filter, default values are provided although you
must specify a unique filter ID value to each new filter policy as well as each new filter entry and
associated actions. The filter entries specify the filter matching criteria.

Only one ingress IP or MAC filter policy and one egress IP or MAC filter policy can be applied to
a L2 SAP. Only one ingress IP filter policy and one egress IP filter policy can be applied to a L3
SAP or network interface. Only one ingress IPv6 filter policy and one egress IPv6 filter policy can
be applied to a L3 SAP or network interface but this can be in combination with an IP filter policy.

Network filter policies control the forwarding and dropping of packets based on IP or MAC match
criteria. Note that non-IP packets are not hitting the IP filter policy, so the default action in the filter
policy will not apply to these packets.

Service and Network Port-based Filtering

IP, IPv6, and MAC filter policies specify either a forward or a drop action for packets based on
information specified in the match criteria. You can create up to 2047 IP, 2047 IPv6, and 2047
MAC filter policies per node although your network can handle up to 65535 policies including
policies pushed out globally or to specific nodes. Within each filter policy, you can create up to
16384 entries.

Filter entry matching criteria can be as general or specific as you require, but all conditions in the
entry must be met in order for the packet to be considered a match and the specified entry action
performed. The process stops when the first complete match is found and executes the action
defined in the entry, either to drop or forward packets that match the criteria.